Demystifying Identity and Access Management with John Giglio

TL;DR

  • In an organization, the IAM landscape is always a moving target. So, understand the organizational structure and how the cloud services will be used before setting up the foundation.
  • Security vs. compliance is an age-old debate. When the security basics are implemented the right way, compliance automatically follows.
  • For data perimeter security, use different levels of DLP controls. Reading, writing, and downloading data should each have their own controls, derived from user activity and network logs.

Host: Hi, everyone. This is Purusottam, and thanks for tuning into the ScaletoZero podcast. Today's episode is with John Giglio.

John is the director of cloud security at SADA, an Insight company. He's a former Marine turned cloud security wizard. He knows how to think like a bad guy to help the good guys, and he even built the security program for what is now the largest background check provider in the US.

John, Thank you so much for coming to the podcast. For our audience, do you want to briefly talk about your journey?

John Giglio: Sure. Yeah. And thanks for having me. So yeah, I started out in the military. So that's actually where I got my start. So DoD, I was doing all the fun stuff that we call certification and accreditation. So for anybody who doesn't know what that is, it means paperwork, doing approvals, and getting security things approved for the various different networks there in the military.

But I learned a lot, got a lot of good concepts, got a start, and then moved into the regular world and have been doing security since. I built up a security program. I did the whole journey to the cloud, which a lot of folks are going through or have gone through. And so I caught on to this thing called DevOps and sort of never looked back. So I've been doing security in that world ever since.

And now I help our customers adopt Google Cloud and operate in their cloud environments in a secure manner. So, yeah, thanks for having me!

Host: Absolutely. And you're one of our first guests who has been in like Marines and comes with that experience. Right.

I'm sure that we'll get to learn something from today's podcast where you can relate it back to the Marines.

Before we start, we generally ask this question to all of our guests and we get unique answers. So,

What does a day in your life look like?

John Giglio: Yeah, good question. So it's not as technical anymore. So at the director level, I do a lot more people management-type stuff now. It's not as technical, but every now and then I get to put my hands on the keyboard and do some nerdy things.

So, but yeah, typically right now it involves conversations with customers, with CISOs, talking about different challenges that they may be having, helping them understand how to, like I said, do things securely on Google Cloud. What are the different offerings? How does SADA specifically help? We have a whole suite of things that we can help customers with. So I get involved in those conversations as well. And then running a professional services team.

So I have a team of engineers that I work with, and they are absolutely amazing. They are the wizards of making things happen for our customers.

So yeah, I get to work with those folks and kind of lead them and give them a vision and direction. So that's my day, it's various different aspects of that and just helping people out and leading the team. So it's a lot of fun.

Host: Yeah, I can imagine. I think one of the things that you highlighted which struck me is you speak with a lot of CISOs and customers because that's where you have the highest impact.

You learn from them, you guide them in the right way as well, like how to maybe best implement security. So today our focus will be around IAM and cloud governance, which I'm pretty sure you do a lot in your day-to-day. So let's get started.

John Giglio: Yeah. I do. One of my favorites. One of my favorite topics.

Host: I can imagine. So yeah, the first question is, IAM has been in our life for a good amount of time now. I believe it was one of the early services that was rolled out by cloud providers. And it is one of the areas that no one wants to ignore. But before we get into IAM integrity details,

Can you define the ideology of IAM? What is IAM and why does it need a lot of attention?

John Giglio: Yeah, so to me, I mean, so the obvious, I'll go with the obvious answer first, right? Like identity and access management, but yeah, what does that mean? It is, the identity is what controls your access to nowadays, pretty much everything.

I'm sure you've heard people say like identity is the new perimeter. In a lot of ways, identity has become the thing where we control access, but that's, that's where it started really. You know, that's where, that's where I saw it kind of beginning was it's all about the access control. So understanding who has access to different things in the environment. And I think the challenges and obviously we're going to, we're going to talk about some of those today as well, but there's a lot of just moving parts, identity management. It changes a lot.

And there's just, there can be a lot of, I don't want to call it bloat, but like overuse, or it can be hard to keep up with the amount of change. You just think about in an organization or even just your own life, right? Just managing a few people with access to 10 different systems. You know, each person has their own identity for each system. And so you've got a hundred things now that you've got to manage, and then somebody changes their department or they get promoted and now they need access to something new.

And then you're trying to do your day job and somebody's coming to you saying, hey, this isn't working because I don't have access. Right. So it's all of those types of challenges. And I think just the moving parts, the real-life aspects of things where it's just easier sometimes to be overly permissive. We'll certainly talk about that, I'm sure.

But that I think is to me, that's where I spend a lot of time with customers working on these challenges and just understanding how they are managing all of these different aspects of an identity.

Host: Makes a lot of sense. A follow-up question that comes to my mind is, let's say an organization is starting its cloud journey and they want to set up their IAM. It could be a smaller, like a growing startup or a large organization.

What are five key questions that should be considered before setting up their IAM?

John Giglio: Yeah, I think there's a couple of key things. Probably the biggest one to me is how they plan to use the environment.

So a lot of companies that we talk to are doing multiple different environments. So they'll have like a, you know, QA environment, a test environment, you know, like a development type of thing, and then a production environment. So if that's, you know, if that's how they're planning to use it, that obviously will impact how they set up their IAM.

So I think that's a big question. I think another big one is how they want to structure their organization. So their resources in the cloud, how those are going to be structured, divided up between business units, between different teams. That's a really important question as well that has a lot of influence on how you set up your IAM, all your policies for access.

So those are the two biggest ones. I think that's probably where I would start. I don't know if there's five. Five might be a lot for questions, but definitely those two big ones can get you started and inform other questions after that. But those are kind of the foundational ones, I would say.

Host: OK! I like how you defined that it's not just about that, hey, we just create users and just give them access, but understand the org structure a little bit and what are they trying to achieve. And based on that, derive maybe how best the IAM setup can be done.

So let's say once the IAM setup is done, let's say MFA is implemented, one of the things that happens when you build applications or even platforms or tools is that there is an implicit trust feature that gets built, like a "remember me" type of capability, unless there is a context change: the person earlier used to log in from the US, now we see a login from, say, Australia, so we will ask them, prompt them to re-login or prompt them for MFA. So implicit trust is implemented in many systems. Do you see a challenge in that? Like in

What ways can these access permission compromise the security of the organization in the context of the implicit trust capability?

John Giglio: Yeah. Yeah, I think it's a tough conversation. So it almost always becomes a balance between, you know, we talk about this all the time in security, availability versus security, you know, how tight do you want to kind of crank down the controls, to the point where, you know, maybe it almost becomes unusable, right?

If you make that implicit trust time long, let's say you stretch that out, you give people a few days. That's a nice user experience a lot of times. If the system is remembering them, they can just reopen their same browser and they don't have to worry about logging in. The user experience there is really nice. Users tend to like that.

But if you go the other direction and you kind of tighten that down and you make your token lifetime or something very, very short where the user has to log in again every single time, that can be very challenging. People don't like that one.

So I think there's a balance in there that's definitely an organizational question, right? It's sort of a risk-based question as well. What's the risk tolerance there of the organization? What kinds of other compensating things might you have in place to sort of, again, balance that out?

I think those are some of the important aspects. When we think about that, it's just, like I said, the user experience and the balance of security and other controls. There's other things that we can do to balance that out.

So one of those things that I would say, and we always recommend as well, is that thinking about the interaction that the user is having with the system and part of that balance being depending on what action they're trying to take, maybe we have different levels of that implicit trust rate or that remembrance. So if I'm, for example, just logging in, maybe that's not a big deal. Maybe there's not anything in that particular application that I'm logging into that is overly sensitive.

But let's say I'm now in that application and I want to download something that is sensitive from that application, or I want to take some sort of administrative action inside that application. Now maybe is a good time to say, okay, your remembered long-lived token, right?

That implicit trust is now not good enough anymore. We're going to ask you for a refresh and prompt you for another MFA or something like that. So basing it on the activities inside of the application can be a good way to find that balance.

Host: I like the term that you used, risk tolerance. I was hoping that there will be a standard that everyone can follow, but from your answer, what I got is it always depends on the business and even the activity that is being performed. You might have implicit trust, but at the same time, let's say, as you gave an example, you're trying to download a payslip. That means you're doing a sensitive action.

So in that case, maybe the user should be asked to re-login or do a re-MFA in that case. Along with that, like

Any other recommendations that you have where security can be enforced?

John Giglio: Yeah, yeah, there's a couple of other things as well. And I think it's mostly around different parameters and things that we can ask an end user for. So, and some of these, you know, most of these even are transparent to the end user, but things like what device are you coming from? Is it a corporate-owned, you know, trusted device that we have some levels of assurance that the device has not been compromised or that particular individual is logged in, right?

We have some additional confidence levels, I'll say, because nothing is obviously guaranteed. But is that a factor, or is that a parameter that we can bring in, bring in that additional context about where you're coming from? I think you mentioned the location of the user, right? Is this the same location that I saw you log in from last time? Or are you in a totally different place? And is it possible for you to even get to that place in that time frame since I last saw you? You know, those are some of the things, but yeah, that additional context I think is really important to be able to bring in, and like I said, nowadays you can do that pretty transparently to the end user. You can collect information through the browser now, so that you know who they are, where they're coming from, and in many cases even query the device for a certificate or some other proof that it's a corporate-owned device. So those are some other aspects as well.

Host: OK, and that makes sense, like not only looking at maybe the activity but also looking at many other context-driven attributes, like device or location or IP or stuff like that, to determine whether the user should be prompted again, whether we can trust that request or not, determine that based on those attributes as well. So the next question that I have is,

We spoke about identity being one of the core components. Data is another key aspect of any business, right? And we got this question from a security leader from a healthcare startup. Especially this happened during COVID. And now after COVID, many organizations have remote first culture now. So in that case, when you have a remote first company, how do you make sure...

How do you use IAM to make sure you provide access to data in a secure manner to your employees?

John Giglio: Yeah, yeah, it's a great question and certainly is relevant now more so than ever. So we talk about this a lot. So some of the things that we just mentioned become very, very important in that context. So of a remote user and somebody logging in from somewhere else, or maybe they're at the beach and they're working from there this week.

So yeah, absolutely. I think enabling that remote-first culture is hugely important and definitely has those security implications. So one of the ways that we can do that now, I think, is based a little bit on the application that's being accessed. I see it being a whole lot easier for web-based applications. So I mentioned this just a little bit ago as well, like the browser now is kind of the tool, right?

That's the thing that everyone is using to access most of their applications. I think Google studied this or released a survey on this, right? It was like 85% or something like that now through the web.

So bringing security into the browser is actually a really interesting way to enable that because there are a lot of controls that you can bring in, like I said, just using the browser and the browser's understanding of the traffic that's passing through it.

The browser being able to understand the device context, like where the user is coming from or information about the device being corporate-owned, etc. So those are critical. I think VPN is kind of still hanging around. It's certainly still an option. There's a lot better VPN options now with the cloud and the number of endpoints that are available, where you can use the power of a cloud-based network and all the various footprints that they have to enable your users to connect from anywhere.

It's not, I'll say new school VPN, right, is not the traditional kind where it was just, you always have to come back to my corporate network. I have one internet connection that everybody's going to use. I don't care where you're coming from. You're always going to go through this pipe, right? That's thankfully not true anymore.

So that's another area where, if there still is a need for that kind of VPN access, we can at least now enable that more broadly and scale that out. Lowers latency, right? User experience gets better. And we still get the same levels of security, but in the web and web-based apps, it's really not even really needed anymore. Most of this stuff has moved out to the browser. We don't see a ton of use cases for agent-based, you know, running your agent for your VPN. There's still some scenarios, but mostly web-based now.

Host: Right, so that speaks about the access, right? Like using some of these new-age VPNs or zero-trust network access tools. From an administrator perspective,

How do you ensure that the data is protected even in a remote-first scenario? Any tips that you have for our listeners?

John Giglio: Yeah. So with some of the technologies that we have now, and like I mentioned, you know, some of the browser-based controls, you can see the entirety of the network flow. So everything that's going through that connection. And so what we can do is you can put DLP controls in there now. So I can write rules that say, you know, we're looking at all of the content that's coming and going through the end user's browser.

And now I can see and inspect and apply my corporate, my business DLP rules to the data that's going through there. And then on top of that, something that I really like is the ability that we have now to say, if you are just viewing something or just maybe logging into an application, there's not as much of a requirement for maybe some additional security controls or something.

But the moment that you start accessing data, and you do, like I said, try to download something, now we're going to verify a few more things, right? Now it's not just you're in our application and you're viewing data. You're trying to exfiltrate data now, right? It's trying to come out of the application. So now I need to know where that data is going. And through those controls, like I said, whether it's a full VPN or a web-based control and, you know, hopefully web-based, it's a much better user experience, but we can do those things now right inside the browser, which is really, really cool!

Host: So I like how you structure it in a way, right? That if you are just maybe logging in, you have a different set of controls. If you are just viewing data, a different set of controls. And if you are trying to download or edit something, maybe you have a different set of controls. So depending on different levels of activity, you have different sets of controls in place, looking at the network traffic or network logs in a way. That makes a lot of sense.

So a slightly related question that comes to my mind, especially around data, is that there's a lot, particularly in the cloud, that we don't think about, which is encryption, right? We assume that data is encrypted, we are just accessing it, because cloud providers make it very easy for us. And as part of that, there are different concepts that come to mind, right? Like,

You have encryption, you use secrets, you have key management, and stuff like that, which cloud providers abstract quite a bit. So

How do you approach secure management of some of these secrets and keys in the cloud, considering there is a shared responsibility model between the cloud provider and the practitioner or the users?

John Giglio: Yeah, yeah, that's another one that is always an interesting conversation. And I think it also varies from business to business. So it's another area where I'll give the consultant's answer, right? It depends, because it kind of always does. So that's usually what we see.

And so when we talk to customers about this, there's normally some sort of conversation about starting with the cloud provider, the sort of the default that you were talking about where the provider is controlling that, they're doing it transparently for you, but everything is encrypted at rest in transit, right? They're managing the keys.

And then as we move up to different levels, whether it's compliance or just a need for greater security, greater sensitivity of the data, a higher mission assurance level to use the DoD terms, right? As you kind of move up that scale is where we tend to see the more complex encryption come in.

So maybe with your more sensitive data, you need an external key manager so that you can maintain control of your encryption keys. And so the cloud provider can never share your data if they were asked to by a government or something like that. Even if they did, the data is encrypted and you are the only person with the key.

So bringing in something like that is not typical, so we don't see a lot of customers starting with that. But certainly, when we get into the more security-heavy kind of scenarios, mostly around compliance, we tend to see it. That's where we'll start to talk about bringing in an external key manager. Usually that's a third-party solution.

So it just brings in that extra layer of separation from the cloud provider. And actually those third-party products in many cases will integrate with the cloud provider. So it's still very transparent to the end user, but it gives that extra level of assurance that, again, you control your keys. You're the only one that can decrypt your organization's data, so, you know, you don't have to worry about that.

And there's some interesting things you can do with that too, when you get to that level. There's some really interesting conversations around that as well, especially for things like GDPR. I know we're probably getting like way off topic now, but when you talk about, you know, encrypting data and right to be forgotten and, you know, is encrypted data, does that mean nobody can read it anymore? If I destroy the key, does that, you know, get me far enough along? So.

There's a whole lot of conversation there around key management when we get into those things. But yeah, it's typically cloud-first, use the easy stuff for the majority of your information and your more sensitive data using customer-managed, customer-controlled keys.

Host: I should have added a condition that you cannot say it depends.

John Giglio: Haha! Fair! Fair!

Host: And I liked how you brought government into it, right? Like using custom keys sometimes gives you the advantage that even if the government wants to access it, you have the keys that you have encrypted with. And since you touched on the sort of custom keys and all, there is a constant discussion between cloud-provided keys and custom keys, right? You highlighted some of the scenarios where it makes sense to maybe use custom keys.

Are there any other scenarios where you recommend to your customers that they should use custom keys rather than cloud provider-provided keys?

John Giglio: Yeah, typically the only time I would start somebody there is if we know going in that they have very high compliance requirements. So if we're talking to a customer that wants to do FedRAMP High or a very high level of security, right off the bat, there's a strict, hardline requirement in there that says you must use customer-managed keys.

So that's probably the time I would start there. Everywhere else, it's usually just a conversation, like I said, based on the sensitivity of the data, the complexity that they're prepared to deal with as well, because that's another element of it too, right, is that the customer has to understand it and they have to be ready to take on that extra overhead of managing their own keys.

Which is something that the cloud providers take off of your plate in that shared responsibility model. So there are definitely trade-offs there as well. But yeah, typically the super high compliance, that'd be the only place where we would just start off and say, yes, you absolutely need to manage your own keys.

Host: That makes a lot of sense. Since you highlighted compliance, I have a question on compliance. Often, either because of moving too fast or because of regulatory requirements, organizations follow a checkbox-based approach, right? That, hey, we are compliant with SOC 2 or HIPAA or CIS or something like that. And there is a debate between compliance-based security and proper security monitoring.

How can organizations find a balance between following a checkbox-based approach versus a deep security program?

John Giglio: Yeah, yeah, the age-old question, right? Security versus compliance. Which one is right? So yeah, it's a good question. And so I can tell you, the way I approach this is I always prefer to start with security. And my belief is that if you implement good security practices and you follow best-practice security measures, compliance will follow pretty easily.

So in other words, if you're doing things correctly and you're already trying to be the most secure that you can and you're thinking through these things and you're asking questions, some of the stuff that we just talked about, right? How do I do my access? How do I enable these additional security measures like MFA and encryption keys?

If you are striving for security best practices, compliance will become just a checkbox, right? It's sort of a reverse methodology there, starting with security. That's the way I always like to approach it: security first, and compliance will be easy.

There are some things, of course, that you'll need to do. There's things like policy and whatever that you probably wouldn't necessarily run into just by going through security best practices, thinking with like a technical mindset, because that's something that we get into a lot as well. And I'm guilty of it myself too, just being a super technical kind of person. And I'm like, I want to see the technical bits, right? But in compliance, there's a whole slew of non-technical things, like HR security, that we can tend to forget about.

But still, from a controls perspective, it's always best, in my opinion, to start with the security, and the compliance will be available. It'll be easy to meet those requirements if you've already got the security best practices in place.

Host: I totally agree. Like if you have the basics done right, then that helps you on both fronts: it helps with the security aspects and also helps you with the compliance aspect as well. Now, one last question on this front is, for implementing some of these security controls, often organizations use some security solutions, right? It could be cloud native or it could be an external vendor.

Do you have any one or two top questions that come to your mind when you are assessing or evaluating a security tool?

John Giglio: Yeah, so I would approach that in a way of, kind of, again, as far as general security is concerned. I think what happens a lot of times is that we don't use the things that we have. So, you know, I think everybody wants to talk about a great tool, and that's all fine. There's plenty of great tools out there, but you know what?

What I always like to talk about is the capabilities and the tools that will be available. So I think if organizations are focused on the capabilities that they need to have, so kind of again, going back to the security best practices, right? What are the things that you need to be able to do? Forget controls, forget compliance for a second, like, you know, forget tools.

Like what are the activities, or capabilities, that my organization needs to have? I think if you start with that, things can become a lot more clear. It actually can make it easier to choose different tools or things, because you have a clear list of, right, I need to be able to do these things.

And then you can turn around and ask a vendor or, you know, ask somebody that you're working with, can you, you know, can you help me do these things? Is this something that your tool helps my organization to accomplish? So starting with the capabilities, I think, is always the key.

Host: OK, that's on point. One of the things we touched on slightly earlier is about having that baseline done properly or having that foundation set the right way. So we got this question from Rocky from SADA that one of the key aspects of cloud security is building a strong security foundation. And often, organizations spend a ton of time focusing on technical security controls.

So now, beyond the technical controls, how can you use security baselines to promote a culture of security within the organization?

John Giglio: Yeah, it's again a really good, really good topic. We can probably talk for hours on this. And so yeah, thank you, Rocky, for bringing this up!

So I think it's, you know, at the end of the day, there are people, there are humans that have to use these things that we're creating. So I think that baselines are especially important because if I'm going to get started, let's say I'm a new team, I'm a brand new developer or somebody that's, it doesn't really matter if you've used cloud before or you haven't. But having some sort of a baseline and a standard and giving folks as much as we possibly can, you know, we're not going to be able to get them to a hundred percent, but if I can give somebody a baseline that says, hey, if you need a project in Google Cloud, here are some things, right, here's a deployment standard.

And, you know, hopefully that's even maybe in Terraform or something like that, where they can just fill in the blanks and just give it a name. And it's going to go deploy with all of my security controls. It's going to automatically do things that they might not think of if they were to go do it on their own, like removing the default networks, removing the default allow rule for SSH, removing, you know, owner permissions or the ability to change that project for everybody in the organization, doing those, putting in place those identity and access management things that we talked about, those access controls, giving them as much of that as possible, I think just makes everyone's lives easier.

And at the end of it, right, our organization is more secure as well, because we've started from a best-practice place. Our teams don't have to worry about being security experts. We're giving them all the configurations, so they just need to bring their app or, you know, bring whatever it is, fill in the blanks, and they don't have to worry about, you know, all the rest of it.

So I think that can be hugely impactful for an organization, to give that best practice, have that center of excellence, if you will, that is creating these baselines that meet all those standards already.

Host: So in our previous recording with Kushagra, we spoke about baselines. And what you said is very much in line with his views as well, that you need to have the baselines. And I like how you define that maybe you have a deployment like infrastructure as code, which you can use as a template.

And then as you grow, your teams can start using that, and then they can customize it based on their own needs, based on the department they're in or the team they're in. But yeah, very much relevant.

One additional question to that is for baselines, there are generally many data sources which are looked at.

So with today's threat landscape, do you see threat intelligence as also a sort of factor in determining the baseline and continuously improving the security baselines?

John Giglio: Yeah, I would say yes. Maybe a combination of yes and no. I don't see it used a ton in that space as far as baselines go. Baselines are normally, I would say, formed from just a known security best practice. But certainly threat intelligence informs those best practices in the long term.

So yeah, if there is some you know, some new threat that's out there or, you know, some new thing that we find out about because, you know, we're always changing. We're always moving IT security, right? There's always new stuff that comes out.

So, yeah, I could definitely, you know, agree with that and say that threat intelligence would inform our baselines on an ongoing basis. Probably, from my perspective, I would see that as more of like an update or a maintenance kind of thing where, you know, we've got our baseline, we've got it established, but now we need to keep it going, make sure it stays relevant, make sure that it's not falling out of line with what we want it to be, moving away from those best practices. So yeah, I could definitely see the link there to threat intelligence for sure.

Host: Okay, I like how you highlighted that it's a continuous process, right? It's not that you define the baseline and you're done. Threat intelligence can be one data source; there can be multiple data sources. Yeah, why not? Just set it up and then forget about it.

John Giglio: Yeah, we wish, we wish it was that easy.

Host: So last question on security. So this week there was the Gartner Security Conference and as part of the keynote, it was highlighted that 73% of CISOs in the US felt burnout at some level at their work. So there are a few sub-questions anyway. What's your take on it? How do you handle stress and burnout, and any tips for, let's say, first-time CISOs?

I know it's a loaded question, but yeah, I'm curious. How do you see this?

John Giglio: It is, yeah.

This is good though, this is good. Yeah, so I mean, I think the first thing in any time we're talking about burnout or any type of stress or anything like that is first of all, just recognizing it, right?

Being able to recognize it, being able to raise your hand and ask for help and say, like, hey, I'm really stressed, right?

I think a lot of times we tend to hide those things as humans. We keep it to ourselves and just, like, "I can deal with this," right, in my own mind, in my own right. A lot of organizations now, I know ours does, like, there's a ton of resources and things that are at our disposal that we just ask for, right? We just raise our hand and say, "Hey, I'm feeling some stress. I'm a little bit burnt out. What can I do, or do you have any tips?" right? So I think that's the first step, is probably just recognizing it and not being afraid to just ask for that help in those situations, because it's super important. Most people want to help.

So even within your own team, I mean, I've found that even within my own team, like there's plenty of people that I can talk to and just, you know, ask for help and other things that they do, right, get their take on it. So kind of like, like you're asking me right now, like, Hey, what's your take on this? You know, how do you deal with it?

So, and then I think, I think some of the… probably the more common things, one thing that I enjoy doing is just stepping away for a little bit. Often that includes some sort of walking outside or an exercise of some sort. I like to ride my bike. So doing something like that, I think can help a lot with mental state and just getting away, just kind of checking out, right?

Turn off your phone, don't respond to notifications, like give yourself a little break and go do something that you enjoy. And then, you know, hanging out with family or anything like that, right? Go do something that you like. It'll help kind of reset and take off some of that stress.

And then, you know, I mean, I also understand, though, and I come from a military background, as we mentioned at the beginning, that sometimes you just gotta put your head down and get through it. So, you know, I know there's that element of it, too, but… that should always be, in my opinion, that should always just be a period of time, right? That shouldn't be a continuous thing. So with burnout, and I can totally appreciate it from the CISO's perspective, it can feel really, really never-ending, and there's always the next thing, and there's always, you mentioned it's changing a lot, right? Things are constantly changing.

So unfortunately, I don't think that's ever gonna stop. So we do have to find those ways to deal with it and get through those periods of time where maybe it is a little more intense, but then be able to step away, take those breaks, ask for help, ask for support, and be able to use the resources that we have at our disposal.

Host: I love that response. I think the key, and all of those are important, but the key thing is recognizing that you are feeling burnout and asking for help. Often as humans, we tend to suppress that feeling, right? We're like, yeah, it's okay. I'm burned out, but maybe I don't ask for help. Asking for help often helps you maybe get some tips the way you shared here, right?

And… sometimes stepping away from the scenario you are in or the situation you are in for some time, like maybe go for a walk, go do some activity which is not related to your work, might calm you down a little bit and might balance it out. I don't know if it does, but you might give it a try, right? Whatever works for you so that you don't feel burnout forever.

John Giglio: Yeah. Yeah. And I'll say one more thing on that too. I think another thing that can be helpful is, I'll call it small emotional wins, right, and prioritization. So I think part of that sort of topic of recognizing that it's something that's going to kind of always be a part of the job or, you know, part of how we live and how we operate, is understanding that, okay, what are the top three things, what are the most important things?

That's actually an exercise that I used to do all the time, is just going back through and saying, okay, what is the most important thing? And you can micro this out too, and you can do this every single day and just make a list of what are the top three things that I have to get done today? Like, those are the musts. Everything else can kind of fall below that, right? Prioritization on a daily basis and even on a micro basis can help.

But also on a macro basis, and thinking about your business and saying, what are the most important, right? What's the most bang for my buck, right? I've got a limited set of time. I've got a limited set of resources. What's most important to my business to protect, to really put security around and really make sure that that part of my business doesn't go under or doesn't experience a security breach, or whatever that is for your particular business? So…

And then focusing your efforts on that thing, I think, can actually really help to sort of de-stress it a little bit, because otherwise it's just too much. It's overwhelming. And that's a lot of times, I think, where some of the burnout can come from as well, that feeling of, you just look at security and it's like, my goodness, it is huge. There's so much that we can do.

And so prioritization I think really helps.

Host: Mm-hmm. Yeah, love that. One thing that I want to add on, like you highlighted the to-do list and prioritization, right? I think I read somewhere, or maybe I was listening to a speaker, and they were saying that they prepare their to-do list the night before so that you don't even spend time in the morning going through all of your items to prepare your to-do list or prioritization. Before you go to bed, you create the to-do list: what do you want to achieve the next day?

And that sort of helps you when you get up, you know that, hey, these are the three things I need to work on today.

So with that, we are at the end of the security questions section!

So the next section is around rating security practices.

Rating security practices

The way it works is I'll read out a security practice. You need to rate them from one to five, one being the worst and five being the best. Let's start with the first one. The first one is: conduct periodic security audits to identify vulnerabilities, threats, and weaknesses in your systems and applications.

John Giglio: Hmm. All right, let me get out my rating scale here. So, all right. So this is usefulness? Is this what we're rating here, how useful these things are for our organizations?

Okay so I would say for that one, I would say it's probably somewhere between a three and a four. We'll go with four. That can be helpful!

Host: Okay. The second one is: develop and regularly test an incident response plan to help quickly detect, respond to, and recover from security incidents.

John Giglio: So that one, let's see, I'm gonna say that that is a four as well. So I'm sensing a pattern here, but a four. Now, if we're rating how often that actually happens, I'd need to change my number. But as far as usefulness, definitely I would say four as well.

Host: Heheheheh. Yeah, I can understand, like usefulness versus practice. There is definitely a gap.

The last one is: continuous integration is a must for DevOps practices. Security architecture review should be conducted as part of the DevOps process itself.

John Giglio: Yeah, another one where, again, as far as how often it happens, a much lower number, but important. So that one's pretty important as well for the overall success. So I'm actually going to give that one a five. I'm going all the way on that one.

Host: Love that. So before we end the episode, one last question that we ask all of our guests is any reading recommendation that you have for our audience? It can be a blog or a book or a podcast or anything.

John Giglio: Yeah, absolutely. So I'm a big Gene Kim fan. So anything that he's written, if you haven't dove into that already, I highly recommend. So The Phoenix Project is kind of the original there. Really good story. Their security guy happens to be named John. So it was all too relevant for me when I read it as well. It's like, yeah, John's the security guy.

So, but yeah, The Phoenix Project for sure. There are a couple of iterations of that, The Unicorn Project, but anything DevOps related by Gene Kim, absolutely amazing.

Podcast-wise, I would say I'm a little biased, but the Google security podcast is also really good. They do a good job, so Anton and Tim. So that's a really good podcast for security resources as well. It's of course a little specific to Google. Azure has one too, Azure Fridays; those are also really good. So that'd be my recommendation.

Host: Lovely! With that note, thank you so much, John, for coming to the podcast and sharing your experience with our audience.

John Giglio: Absolutely. Thank you for having me.

Host: Absolutely. It was fun. And for our audience, thank you so much for watching. See you in our next episode. Thank you.